Home router

Published: 2017-09-17 (last updated: 2017-10-30)

home router

This is just a project idea, not (yet) a finished project.

A home router is a small computer that manages the Internet uplink for a household and provides local connectivity. Its WAN side is reachable from the Internet, so the software running on a router needs to be hardened against attackers. Attackers actively search for flaws in popular routers, because a single exploitable bug, replicated across a large installed base of identical devices, gives them access to a large pool of computing and bandwidth resources (a botnet).

The home router provides the basic network services for the local network: a caching domain name service (DNS) resolver, dynamic host configuration (DHCP), wireless networks (using WPA2 and WPS), wired connectivity, communication with the service provider (e.g. using PPP and PPPoE) including authentication, and a web server for configuration.

Customers demand ever larger feature sets, including network storage, a voice over IP (VoIP) endpoint, virtual private network (VPN) integration, and a data collector and broker for the Internet of Things.

Most home routers are currently based on a small Linux distribution in which all services typically share one kernel and run with full privileges, so a security issue discovered in any single subsystem likely leads to a compromise of the entire router. Secure update channels may not be available, and even where they are, the fear that an update may introduce unforeseen behaviour keeps people from updating their routers.

We would base the router on an off-the-shelf arm64 board on which MirageOS already runs, with KVM as the hypervisor. Each network service would run as a separate virtual machine, so that a compromised service is confined to its own VM rather than taking over the whole router. Several services are already available as MirageOS unikernels: a caching DNS resolver, a DHCP server, a firewall with NAT, an MQTT implementation, a web server, and others. A secure update channel based on The Update Framework (TUF) is currently under development.

The infrastructure for distributing binary updates would be a Linux host which rebuilds the unikernels mentioned above whenever a dependent library is updated or changes are rolled out to the unikernel code itself.

Other required network services which are not yet implemented in OCaml, such as WPA2 or VoIP, would initially run in a Linux virtual machine; MirageOS unikernels and Linux virtual machines can coexist on the same hypervisor.